RubySec

Providing security resources for the Ruby community

CVE-2026-54498 (view_component): around_render HTML-Safety Bypass

around_render HTML-Safety Bypass

Published: June 04, 2026

SECURITY IDENTIFIERS

GEM

view_component

SEVERITY

CVSS v3.x: 8.7 (High)

UNAFFECTED VERSIONS

< 4.0.0

PATCHED VERSIONS

>= 4.12.0

DESCRIPTION

Summary

ViewComponent::Base#around_render can return HTML-unsafe strings that bypass the escaping behavior applied to normal #call return values. This creates an XSS risk when downstream applications use around_render to wrap, replace, instrument, or conditionally return content that includes user-controlled data.

The issue is especially dangerous in collection rendering because ViewComponent::Collection#render_in joins the per-item results and marks the entire output as html_safe, converting raw unsafe output into a trusted ActiveSupport::SafeBuffer.

RELATED